
How to Manipulate User Credentials with a CSRF Attack «Null Byte :: WonderHowTo



Web 2.0 technology provides a convenient way to post videos online, keep up with old friends on social networks, and even browse comfortably from your web browser. But if applications are poorly designed or misconfigured, certain flaws can be exploited. One such flaw, known as CSRF, allows an attacker to use a legitimate user's session to make unauthorized requests to the server.

CSRF Basics

Cross-Site Request Forgery (CSRF) is a type of attack that abuses the trust a web application places in an authenticated user, causing the victim's browser to send unwanted requests on the attacker's behalf. Since CSRF returns no response to the attacker, it is said to affect only state-changing requests, such as transferring funds, purchasing an item without the victim's knowledge, or modifying user credentials. CSRF (sometimes pronounced "sea-surf") is also referred to as XSRF, session riding, or a one-click attack.

A CSRF attack is usually carried out by tricking the victim into opening a malicious file via social engineering or phishing. If the application is vulnerable, the function the attacker intended is executed as soon as the user opens the file. In some cases the attack can be run as a "stored CSRF", in which the malicious request is embedded in an image tag or hidden form on the web page itself. This variant is considered much more dangerous, since it is hosted on a legitimate site and the number of potential victims is far larger.

Step 1: Prepare for the Attack

We will use DVWA, a deliberately vulnerable web application containing common security flaws, to test our attack. Launch it and log in with the default credentials, admin and password. Now go to "DVWA Security" on the left and set the security level to low; this allows our attack to succeed.

Then click the CSRF tab to reach the cross-site request forgery section. We can see that there is a password change feature on this page:

Right-click anywhere on the page and view the page source. Scroll down to the following HTML form:

Copy this HTML code and use nano to create a new file in the terminal. To make this a little more realistic, we change the method to POST. Forms like this rarely use a GET request because, among other things, GET places the parameters directly in the URL, which is inappropriate for sensitive data such as passwords.

  nano csrf.html

New password:

Confirm new password:

Press Ctrl-X, then Y and Enter to save. Now open this file in the browser by double-clicking it; it should look exactly like the form we saw earlier:

Step 2: Modify the Target File

We need to modify this file a bit so that it is submitted automatically when the victim opens it. First, create the necessary HTML head and body elements. We can add JavaScript in the head that submits the form automatically by creating a function called autoSubmit. For this to work, we must also give the form a name (we aptly call it myForm).

Next, we use the onload attribute so that the function runs when the page loads. We then add a new value to the password and password confirmation fields and hide those fields. Finally, replace the number sign in the form action with the correct URL, and when this page is loaded the password is changed.

New password:

Confirm new password:

Step 3: Change the Admin Password

Now we are ready to carry out our attack, which can be done in various ways with the help of social engineering or phishing techniques. All we have to do is get the victim to load this page. For example, we can use a URL shortener such as Bitly or Goo.gl to disguise the link.

To confirm that this was successful, use the browser's "Inspect Element" tools to view the POST request after the page loads. We can see that the parameters contain the new password we set earlier:

From here, the administrator is effectively locked out of the account, and since we set the new password, we can log in as the administrator. Depending on the nature of the web application, we can now do anything from changing user information to using that account to attack other systems.

Prevent CSRF Attacks

There are many ways to prevent CSRF attacks. Many frameworks, such as Spring, Struts, Ruby on Rails and others, have built-in CSRF protection features.

One of the best ways to prevent this type of attack is to check the request's origin headers. The Origin header can be used to determine where the request actually came from (the source origin). The target origin is a bit harder to identify, since one or more proxies usually sit in front of the application server. In these cases the Host header, and where a proxy is involved the X-Forwarded-Host header, can be used to verify the target origin.

Another method of defending against CSRF attacks involves the use of tokens. Synchronizer tokens validate requests on the server side by assigning a random token to each state-changing action. If storing a CSRF token in session state is not possible, other techniques such as double-submit cookies, encrypted tokens, and custom request headers can be used.

Sometimes it is easier to involve the user in preventing CSRF. A challenge-response method requires the user to re-authenticate or solve a CAPTCHA for high-risk requests. An alternative that needs no user interaction is the SameSite cookie attribute, which prevents the cookie from being sent with cross-site requests.
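As an added example (not code from the original article or from DVWA), here is the server-side check that would reject the auto-submitting page built in Step 2: it applies the source-origin versus target-origin comparison and the synchronizer token described above to a password-change POST. The host names, the session store and the csrf_token field name are constructed assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed session store for the demo: session id -> per-session CSRF token.
SESSIONS = {"sess-admin": {"csrf_token": secrets.token_hex(16)}}


def issue_token(session_id):
    """Synchronizer token: one random value per session, to be embedded in the form."""
    return SESSIONS[session_id]["csrf_token"]


def source_origin(headers):
    """Where the request came from: Origin, else scheme://host of Referer, else None."""
    if headers.get("Origin"):
        return headers["Origin"]
    if headers.get("Referer"):
        parts = urlsplit(headers["Referer"])
        return f"{parts.scheme}://{parts.netloc}"
    return None


def target_host(headers, behind_trusted_proxy=False):
    """Where the request was sent: X-Forwarded-Host only if a trusted proxy sets it."""
    if behind_trusted_proxy and headers.get("X-Forwarded-Host"):
        return headers["X-Forwarded-Host"]
    return headers.get("Host")


def check_csrf(session_id, headers, form, behind_trusted_proxy=False):
    """Decide whether a state-changing POST (e.g. a password change) may proceed.

    Returns (accepted, reason). Both checks must pass: the source origin must
    match the target host, and the form must carry the session's own token.
    """
    session = SESSIONS.get(session_id)
    if session is None:
        return False, "no authenticated session"
    source = source_origin(headers)
    target = target_host(headers, behind_trusted_proxy)
    if source is None or target is None or urlsplit(source).netloc != target:
        return False, f"source origin {source!r} does not match target {target!r}"
    # Constant-time comparison; a forged page cannot read the token (same-origin policy).
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return False, "missing or invalid csrf token"
    return True, "ok"
```

A request with no Origin or Referer at all is also rejected, so the check fails closed rather than open.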

Another method: CSRF with OWASP ZAP

Cross-site request forgery can have a severe impact because it exploits an authenticated user's session. While information theft plays no part in this attack, CSRF can lead to other devastating consequences, such as credential manipulation and unauthorized financial transactions. In the next article, we take a look at the popular web application scanner OWASP ZAP and configure it for an automated CSRF attack.

Cover image by xresch / Pixabay; screenshots by drd_ / Null Byte
